[dns-operations] Logging queries for BIND DNS server

Jim Reid jim at rfc1035.com
Tue Jul 19 16:22:43 UTC 2016

> On 19 Jul 2016, at 11:02, Vithalprasad Gaitonde <gaitonde.vithalprasad at microsoft.com> wrote:
> We are trying to understand how query logging is typically deployed in BIND DNS server deployments.

So is everyone else. :-)

There probably isn't a typical deployment. Some don't log queries at all. Some log to a local file. Others log over the net -- watch for syslogd doing reverse lookups of the sending IP address => yet another DNS query to log. Sometimes these logs (via syslog or a local file) only get looked at after an incident. Others process the logs regularly and generate hourly/daily/weekly/whatever reports.

Some organisations take pcap dumps of ALL their DNS traffic. Sometimes tools like DSC or Hedgehog get used to tap the network interface(s), sample DNS traffic and put that sampling data into a database that just grows and grows. IIUC dnstap is getting used by those who want real-time response to DNS traffic of interest (amongst other things).

There's no one-size-fits-all answer to your question. A documented "best practice" for DNS logging seems unlikely too. I've never come across one yet. This touches on lots of tricky areas that have different rules in different countries and settings: privacy, data protection/retention, regulatory requirements, corporate policy, etc, etc.
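
An added example, not part of the original message: one way to do the regular log processing mentioned above, turning a local BIND query log into per-hour counts by client and query type. The sample lines are constructed, and the line layout (print-time enabled, optional `@0x...` and `view` fields) is an assumption, since it differs between BIND versions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of BIND 9 "queries" category output
# with print-time enabled. The layout varies between BIND versions, so the
# pattern below is an assumption; the last line is deliberately not a query.
SAMPLE_LOG = """\
19-Jul-2016 16:01:12.101 client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E (198.51.100.53)
19-Jul-2016 16:14:40.007 client 192.0.2.10#40112 (www.example.com): query: www.example.com IN AAAA +E (198.51.100.53)
19-Jul-2016 16:59:59.999 client @0x7f3c2c0a1b20 2001:db8::25#61000 (mail.example.com): query: mail.example.com IN MX + (198.51.100.53)
19-Jul-2016 17:00:03.250 client 192.0.2.77#33333 (example.com): query: example.com IN ANY +T (198.51.100.53)
named[812]: zone example.com/IN: loaded serial 2016071901
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): (?:view \S+: )?"
    r"query: \S+ (?P<qclass>\S+) (?P<qtype>\S+) "
)

def hourly_report(lines):
    """Return ({hour: {total, clients, qtypes}}, number_of_unparsed_lines)."""
    report = defaultdict(
        lambda: {"total": 0, "clients": Counter(), "qtypes": Counter()}
    )
    skipped = 0
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            skipped += 1  # not a query line, or an unknown layout: count it
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        bucket = report[ts.strftime("%Y-%m-%d %H:00")]
        bucket["total"] += 1
        bucket["clients"][m["ip"]] += 1
        bucket["qtypes"][m["qtype"]] += 1
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = hourly_report(SAMPLE_LOG.splitlines())
    for hour in sorted(report):
        b = report[hour]
        print(hour, b["total"], b["clients"].most_common(3), dict(b["qtypes"]))
    print("unparsed lines:", skipped)
```

A rising unparsed-line count after a BIND upgrade is the signal that the log layout changed and the pattern needs updating.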

